opentofu · diofeher · Jan 4, 2025 · Jan 5, 2025 · Jan 10, 2025 · Jan 10, 2025
diff --git a/.github/scripts/submit-provider-key.sh b/.github/scripts/submit-provider-key.sh
@@ -41,7 +41,7 @@ if [[ -n "${providername}" ]]; then
 fi
 
 set +e
-go run ./cmd/verify-gpg-key -org "${namespace}" -username "${GH_USER}" -key-file=tmp.key -output=./output.json
+go run ./cmd/verify-gpg-key -org "${namespace}" -provider-data ".." -provider-name "${providername}" -username "${GH_USER}" -key-file=tmp.key -output=./output.json
 verification=$?
 set -euo pipefail
 
@@ -89,4 +89,4 @@ git push -u origin "${branch}"
 # Create pull request and update issue
 pr=$(gh pr create --title "${TITLE}" --body "${msg} ${keyfile/.././} for provider ${namespace}. Closes #${NUMBER}.") #--assignee opentofu/core-engineers)
 gh issue comment "${NUMBER}" -b "Your submission has been validated and has moved on to the pull request phase (${pr}).  This issue has been locked."
-gh issue lock "${NUMBER}" -r resolved
+gh issue lock "${NUMBER}" -r resolved
diff --git a/src/cmd/verify-gpg-key/main.go b/src/cmd/verify-gpg-key/main.go
@@ -8,9 +8,12 @@ import (
 	"net/mail"
 	"os"
 	"regexp"
+	"time"
 
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
 
+	"github.com/opentofu/libregistry/metadata"
+	"github.com/opentofu/libregistry/metadata/storage/filesystem"
 	"github.com/opentofu/registry-stable/internal/files"
 	"github.com/opentofu/registry-stable/internal/github"
 	"github.com/opentofu/registry-stable/internal/gpg"
@@ -23,7 +26,10 @@ func main() {
 	keyFile := flag.String("key-file", "", "Location of the GPG key to verify")
 	username := flag.String("username", "", "Github username to verify the GPG key against")
 	orgName := flag.String("org", "", "Github organization name to verify the GPG key against")
+	providerName := flag.String("provider-name", "", "Key used to sign provider-scoped name")
+
 	outputFile := flag.String("output", "", "Path to write JSON result to")
+	providerDataDir := flag.String("provider-data", "..", "Directory containing the provider data")
 	flag.Parse()
 
 	logger = logger.With(slog.String("github", *username), slog.String("org", *orgName))
@@ -36,19 +42,19 @@ func main() {
 		os.Exit(1)
 	}
 
-	ctx := context.Background()
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	defer cancel()
+
 	ghClient := github.NewClient(ctx, logger, token)
 
 	result := &verification.Result{}
 
-	s := VerifyKey(*keyFile)
+	s := VerifyKey(ctx, *logger, *providerDataDir, *keyFile, *orgName, *providerName)
 	result.Steps = append(result.Steps, s)
 
 	s = VerifyGithubUser(ghClient, *username, *orgName)
 	result.Steps = append(result.Steps, s)
 
-	// TODO: Add verification to ensure that the key has been used to sign providers in this github organization
-
 	fmt.Println(result.RenderMarkdown())
 
 	if *outputFile != "" {
@@ -87,13 +93,13 @@ func VerifyGithubUser(client github.Client, username string, orgName string) *ve
 
 var gpgNameEmailRegex = regexp.MustCompile(`.*\<(.*)\>`)
 
-func VerifyKey(location string) *verification.Step {
+func VerifyKey(ctx context.Context, logger slog.Logger, providerDataDir string, location string, orgName string, providerName string) *verification.Step {
 	verifyStep := &verification.Step{
 		Name: "Validate GPG key",
 	}
 
 	// read the key from the filesystem
-	data, err := os.ReadFile(location)
+	keyData, err := os.ReadFile(location)
 	if err != nil {
 		verifyStep.AddError(fmt.Errorf("failed to read key file: %w", err))
 		verifyStep.Status = verification.StatusFailure
@@ -102,7 +108,7 @@ func VerifyKey(location string) *verification.Step {
 
 	var key *crypto.Key
 	verifyStep.RunStep("Key is a valid PGP key", func() error {
-		k, err := gpg.ParseKey(string(data))
+		k, err := gpg.ParseKey(string(keyData))
 		if err != nil {
 			return fmt.Errorf("could not parse key: %w", err)
 		}
@@ -170,6 +176,42 @@ func VerifyKey(location string) *verification.Step {
 		return nil
 	})
 
+	dataAPI, err := metadata.New(filesystem.New(providerDataDir))
+	if err != nil {
+		verifyStep.AddError(fmt.Errorf("failed to create a metadata API: %w", err))
+		verifyStep.Status = verification.StatusFailure
+		return verifyStep
+	}
+
+	providers, err := getProviders(ctx, logger, dataAPI, orgName, providerName)
+
+	if err != nil {
+		verifyStep.AddError(fmt.Errorf("failed to list provider %s: %w", orgName, err))
+		verifyStep.Status = verification.StatusFailure
+		return verifyStep
+	}
+
+	keyVerification, err := buildKeyVerifier(keyData, dataAPI)
+	if err != nil {
+		verifyStep.AddError(fmt.Errorf("failed to build key verifier: %w", err))
+		verifyStep.Status = verification.StatusFailure
+		return verifyStep
+	}
+
+	for _, provider := range providers {
+		versions, err := keyVerification.VerifyProvider(ctx, provider)
+		if err != nil {
+			verifyStep.AddError(fmt.Errorf("failed to verify key: %w", err))
+			verifyStep.Status = verification.StatusFailure
+			return verifyStep
+		}
+
+		for _, version := range versions {
+			subName := fmt.Sprintf("Key is used to sign the provider %s v%s", provider, version.Version)
+			verifyStep.AddStep(subName, verification.StatusSuccess)
+		}
+	}
+
 	emailStep.FailureToWarning()
 
 	return verifyStep

diff --git a/src/cmd/verify-gpg-key/verify-key-in-providers.go b/src/cmd/verify-gpg-key/verify-key-in-providers.go
@@ -0,0 +1,66 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+
+	"github.com/opentofu/libregistry/metadata"
+	"github.com/opentofu/libregistry/provider_key_verifier"
+	"github.com/opentofu/libregistry/types/provider"
+)
+
+func buildKeyVerifier(keyData []byte, dataAPI metadata.API) (provider_key_verifier.ProviderKeyVerifier, error) {
+	keyVerification, err := provider_key_verifier.New(keyData, dataAPI)
+	if err != nil {
+		return nil, err
+	}
+	return keyVerification, nil
+}
+
+func getProvider(ctx context.Context, dataAPI metadata.API, namespace string, providerName string) (provider.Addr, error) {
+	providerAddr := provider.Addr{
+		Namespace: namespace,
+		Name:      providerName,
+	}
+	canonicalAddr, err := dataAPI.GetProviderCanonicalAddr(ctx, providerAddr)
+	if err != nil {
+		return provider.Addr{}, err
+	}
+
+	return canonicalAddr, nil
+}
+
+func listProviders(ctx context.Context, dataAPI metadata.API, namespace string) ([]provider.Addr, error) {
+	providers, err := dataAPI.ListProvidersByNamespace(ctx, namespace, false)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if len(providers) == 0 {
+		return nil, fmt.Errorf("there are no providers in namespace %s; please submit at least one provider before submitting a GPG key", namespace)
+	}
+
+	return providers, nil
+}
+
+func getProviders(ctx context.Context, logger slog.Logger, dataAPI metadata.API, namespace string, providerName string) ([]provider.Addr, error) {
+	var err error
+	var providers []provider.Addr
+	var providerAddr provider.Addr
+
+	if len(providerName) > 0 {
+		logger.Debug("Using provider", slog.String("provider", providerName))
+		providerAddr, err = getProvider(ctx, dataAPI, namespace, providerName)
+		providers = append(providers, providerAddr)
+	} else {
+		logger.Debug("Using namespace", slog.String("namespace", namespace))
+		providers, err = listProviders(ctx, dataAPI, namespace)
+	}
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to list providers: %w", err)
+	}
+	return providers, nil
+}